<div dir="ltr">Hi Malgorzata,<div><br></div><div>Thanks for your reply. It was not my intention to verify client certificates. I misunderstood verifyCheck = yes to mean it would verify the certificate of the server to which stunnel is connecting. I've removed this from my config and also enabled debug logging as you suggested.</div><div><br></div><div>I did some more playing around and managed to get it working by defining two services. The first service accepts TLS connections and connects to the second service running on a different port which then connects to Office 365. I've been able to send emails through Office 365 by pointing my Thunderbird at stunnel. Here's my config:</div><div><br></div><div><br></div><div><div>setuid = nobody</div><div>setgid = nogroup</div><div>pid = /usr/local/var/run/stunnel/<wbr>stunnel.pid</div><div>debug = debug</div><div>output = /usr/local/var/log/stunnel/<wbr>stunnel.log</div><div>[uwo2local]</div><div>accept = 50025</div><div>cert = /usr/local/etc/stunnel/<wbr>stunnel.pem</div><div>connect = 52025 </div><div>protocol = smtp</div><div>[local2o365]</div><div>client = yes</div><div>accept = <a href="http://127.0.0.1:52025" target="_blank">127.0.0.1:52025</a></div><div>connect = <a href="http://smtp.office365.com:587" target="_blank">smtp.office365.com:587</a></div><div>CApath = /etc/ssl/certs</div><div>OCSPaia = yes</div><div>protocol = smtp</div></div><div><br></div><div><br></div><div>The one thing I'm wondering about is the checkHost option. Should I be adding checkHost = <a href="http://smtp.office365.com" target="_blank">smtp.office365.com</a> to verify the certificate of <a href="http://smtp.office365.com">smtp.office365.com</a>? Whenever I add this option, it tells me:</div><div><div>[!] /usr/local/etc/stunnel/stunnel<wbr>.conf:87: "checkHost = <a href="http://smtp.office365.com" target="_blank">smtp.office365.com</a>": Specified option name is not valid here</div></div><div><br></div><div><br></div><div>Thanks,</div><div>Andrew</div><div><br></div><div><br></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><b><font face="verdana, sans-serif" color="#3d85c6">Andrew Culver</font></b></div><div><font face="verdana, sans-serif" color="#999999">System Administrator</font></div><div><a href="https://www.uwo.ca/its" target="_blank"><font face="verdana, sans-serif" color="#999999">Information Technology Services</font></a></div><div><a href="https://www.uwo.ca" target="_blank"><font face="verdana, sans-serif" color="#999999">University of Western Ontario</font></a></div><div><font face="verdana, sans-serif"><font color="#999999">e: </font><a href="mailto:aculver@uwo.ca" target="_blank"><font color="#999999">aculver@uwo.ca</font></a></font></div><div><font face="verdana, sans-serif" color="#999999">p: <a href="tel:15196612111,80265" target="_blank"><font color="#999999">519-661-2111 x80265</font></a></font></div><font face="verdana, sans-serif" color="#999999">cal: <a href="http://goo.gl/wVoDlo" target="_blank"><font color="#999999">html</font></a> | <a href="http://goo.gl/ncUjV0" target="_blank"><font color="#999999">ics</font></a></font><br></div><div dir="ltr"><font face="verdana, sans-serif" color="#999999"><a><font color="#999999"><br></font></a></font></div></div></div></div></div></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Thu, Jan 19, 2017 at 5:40 AM, Małgorzata Olszówka <span dir="ltr"><<a href="mailto:gosia@olszowka.net" target="_blank">gosia@olszowka.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
We have a number of hosts in private IP space that we'd like to be able<br></span>
to send mail to <a href="http://smtp.office365.com:587" rel="noreferrer" target="_blank">smtp.office365.com:587</a> <<a href="http://smtp.office365.com:587" rel="noreferrer" target="_blank">http://smtp.office365.com:587</a><wbr>>.<span class=""><br>
I'm trying to configure stunnel for this purpose.<br>
<br>
What I'd like is to set up a stunnel instance on a server which will<br>
accept TLS connections on port 50025. Stunnel will then connect to<br>
</span><a href="http://smtp.office365.com:587" rel="noreferrer" target="_blank">smtp.office365.com:587</a> <<a href="http://smtp.office365.com:587" rel="noreferrer" target="_blank">http://smtp.office365.com:587</a><wbr>> which also uses<span class=""><br>
TLS. How can I do this?<br>
<br>
I am able to configure stunnel to accept my connection on 587, but the<br>
connection is immediately closed (below). If I add client = yes, then I<br>
just get:<br>
<br>
<br></span><span class="">
aculver stunnel # egrep -v '^;|^$' stunnel.conf<br>
; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2015<br>
setuid = nobody<br>
setgid = nogroup<br>
pid = /usr/local/var/run/stunnel/stu<wbr>nnel.pid<br>
[o365-smtp]<br>
accept = 50025<br>
cert = /usr/local/etc/stunnel/stunnel<wbr>.pem<br></span>
connect = <a href="http://smtp.office365.com:587" rel="noreferrer" target="_blank">smtp.office365.com:587</a> <<a href="http://smtp.office365.com:587" rel="noreferrer" target="_blank">http://smtp.office365.com:587</a><wbr>><span class=""><br>
verifyChain = yes<br>
CApath = /etc/ssl/certs<br>
protocol = smtp<br>
<br></span><span class="">
aculver stunnel # openssl s_client -starttls smtp -connect localhost:50025<br>
CONNECTED(00000003)<br></span>
...<span class=""><br>
139954991064736:error:14094410<wbr>:SSL routines:SSL3_READ_BYTES:sslv3 alert<br>
handshake failure:s3_pkt.c:1263:SSL alert number 40<br>
139954991064736:error:140790E5<wbr>:SSL routines:SSL23_WRITE:ssl handshake<br>
failure:s23_lib.c:177:<br>
---<br>
<br>
</span></blockquote>
Hi Andrew,<br>
I suggest you set the debugging stuff, it may be useful for troubleshooting:<br>
debug = debug<br>
output = /usr/local/var/log/stunnel.log<br>
<br>
In the stunnel.log file, you can find all log messages from stunnel, I think in this case:<br>
<br>
<a href="tel:2017.01.19%2005" value="+12017011905" target="_blank">2017.01.19 05</a>:08:28 LOG7[10763]: TLS alert (write): fatal: handshake failure<br>
<a href="tel:2017.01.19%2005" value="+12017011905" target="_blank">2017.01.19 05</a>:08:28 LOG3[10763]: SSL_accept: 140890C7: error:140890C7:SSL routines:ssl3_get_client_certi<wbr>ficate:peer did not return a certificate<br>
<a href="tel:2017.01.19%2005" value="+12017011905" target="_blank">2017.01.19 05</a>:08:28 LOG5[10763]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket<br>
<br>
Your [o365-smtp] service requests the peer certificate and verify the peer certificate chain, so you should send the client certificate.<br>
<br>
# openssl s_client -starttls smtp -connect localhost:50025 -cert mycert.pem<br>
<br>
Regards<br>
<br>
______________________________<wbr>_________________<br>
stunnel-users mailing list<br>
<a href="mailto:stunnel-users@stunnel.org" target="_blank">stunnel-users@stunnel.org</a><br>
<a href="https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users" rel="noreferrer" target="_blank">https://www.stunnel.org/cgi-bi<wbr>n/mailman/listinfo/stunnel-use<wbr>rs</a><br>
</blockquote></div><br></div>